commit 83642238c058b29e6f433df668bf5b93af5c8be9 Author: CentOS Sources Date: Tue Mar 28 09:35:27 2023 +0000 import python-mako-1.1.4-6.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ec44a78
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/rel_1_1_4.tar.gz
diff --git a/.python-mako.metadata b/.python-mako.metadata
new file mode 100644
index 0000000..bb18fec
--- /dev/null
+++ b/.python-mako.metadata
@@ -0,0 +1 @@
+557b3318679d7675c2b1fe00bb2e744f47a53c2a SOURCES/rel_1_1_4.tar.gz
diff --git a/SOURCES/python-mako-1.1.14-CVE-2022-40023.patch b/SOURCES/python-mako-1.1.14-CVE-2022-40023.patch
new file mode 100644
index 0000000..ba81e9b
--- /dev/null
+++ b/SOURCES/python-mako-1.1.14-CVE-2022-40023.patch
@@ -0,0 +1,87 @@
+From 0969203d36a128f42d7e4025ca29b5dfa74e1a21 Mon Sep 17 00:00:00 2001
+From: Mike Bayer
+Date: Mon, 29 Aug 2022 12:28:52 -0400
+Subject: [PATCH] fix tag regexp to match quoted groups correctly
+
+Fixed issue in lexer where the regexp used to match tags would not
+correctly interpret quoted sections individually. While this parsing issue
+still produced the same expected tag structure later on, the mis-handling
+of quoted sections was also subject to a regexp crash if a tag had a large
+number of quotes within its quoted sections.
+
+Fixes: #366
+Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0
+---
+ doc/build/unreleased/366.rst | 9 +++++++++
+ mako/lexer.py | 12 ++++++++----
+ test/test_lexer.py | 4 ++++
+ 3 files changed, 21 insertions(+), 4 deletions(-)
+ create mode 100644 doc/build/unreleased/366.rst
+
+diff --git a/doc/build/unreleased/366.rst b/doc/build/unreleased/366.rst
+new file mode 100644
+index 0000000..27b0278
+--- /dev/null
++++ b/doc/build/unreleased/366.rst
+@@ -0,0 +1,9 @@
++.. change::
++ :tags: bug, lexer
++ :tickets: 366
++
++ Fixed issue in lexer where the regexp used to match tags would not
++ correctly interpret quoted sections individually. While this parsing issue
++ still produced the same expected tag structure later on, the mis-handling
++ of quoted sections was also subject to a regexp crash if a tag had a large
++ number of quotes within its quoted sections.
+\ No newline at end of file
+diff --git a/mako/lexer.py b/mako/lexer.py
+index 6226e26..c8eee6f 100644
+--- a/mako/lexer.py
++++ b/mako/lexer.py
+@@ -295,20 +295,24 @@ class Lexer(object):
+ return self.template
+
+ def match_tag_start(self):
+- match = self.match(
+- r"""
++ reg = r"""
+ \<% # opening tag
+
+ ([\w\.\:]+) # keyword
+
+- ((?:\s+\w+|\s*=\s*|".*?"|'.*?')*) # attrname, = \
++ ((?:\s+\w+|\s*=\s*|"[^"]*?"|'[^']*?'|\s*,\s*)*) # attrname, = \
+ # sign, string expression
++ # comma is for backwards compat
++ # identified in #366
+
+ \s* # more whitespace
+
+ (/)?> # closing
+
+- """,
++ """
++
++ match = self.match(
++ reg,
+ re.I | re.S | re.X,
+ )
+
+diff --git a/test/test_lexer.py b/test/test_lexer.py
+index 9807961..7d4b146 100644
+--- a/test/test_lexer.py
++++ b/test/test_lexer.py
+@@ -146,6 +146,10 @@ class LexerTest(TemplateTest):
+ """
+ self.assertRaises(exceptions.CompileException, Lexer(template).parse)
+
++ def test_tag_many_quotes(self):
++ template = "<%0" + '"' * 3000
++ self.assertRaises(exceptions.SyntaxException, Lexer(template).parse)
++
+ def test_unmatched_tag(self):
+ template = """
+ <%namespace name="bar">
+--
+2.38.1
+
diff --git a/SPECS/python-mako.spec b/SPECS/python-mako.spec
new file mode 100644
index 0000000..370608c
--- /dev/null
+++ b/SPECS/python-mako.spec
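Review bot: In the `mako/lexer.py` part of this patch, the added `\s*,\s*` alternative has the same shape as the existing `\s*=\s*`: both start and end with optional whitespace inside the starred group, so whitespace between two separators can be claimed by either neighbour. That looks like it leaves ambiguous paths for the backtracking engine on a tag that never closes. `test_tag_many_quotes` only exercises the quote case; a sibling test that repeats `=` and `,` separators inside an unterminated tag would confirm whether the fix for CVE-2022-40023 covers that shape too. The lazy `*?` in `"[^"]*?"|'[^']*?'` is also redundant once the class excludes the delimiter; `"[^"]*"|'[^']*'` says the same thing. `match_tag_start` continues past the end of the hunk, so how the match result is used is not visible here.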
@@ -0,0 +1,184 @@
+Name: python-mako
+Version: 1.1.4
+Release: 6%{?dist}
+BuildArch: noarch
+
+# Mostly MIT, but _ast_util.py is Python licensed.
+# The documentation contains javascript for search licensed BSD or GPLv2
+License: (MIT and Python) and (BSD or GPLv2)
+Summary: Mako template library for Python
+URL: http://www.makotemplates.org/
+Source0: https://github.com/sqlalchemy/mako/archive/rel_%(echo %{version} | sed "s/\./_/g").tar.gz
+# https://bugzilla.redhat.com/show_bug.cgi?id=2133606
+Patch0: python-mako-1.1.14-CVE-2022-40023.patch
+
+BuildRequires: python3-devel
+BuildRequires: python3-pytest
+BuildRequires: python3-setuptools
+BuildRequires: python3-markupsafe
+
+%global _description\
+Mako is a template library written in Python. It provides a familiar, non-XML\
+syntax which compiles into Python modules for maximum performance. Mako's\
+syntax and API borrows from the best ideas of many others, including Django\
+templates, Cheetah, Myghty, and Genshi. Conceptually, Mako is an embedded\
+Python (i.e. Python Server Page) language, which refines the familiar ideas of\
+componentized layout and inheritance to produce one of the most straightforward\
+and flexible models available, while also maintaining close ties to Python\
+calling and scoping semantics.
+
+%description %_description
+
+
+%package -n python3-mako
+Summary: %{summary}
+
+# Beaker is the preferred caching backend, but is not strictly necessary
+Recommends: python3-beaker
+
+Obsoletes: python2-mako < 1.1.0-3
+
+%{?python_provide:%python_provide python3-mako}
+
+%description -n python3-mako %_description
+
+This package contains the mako module built for use with python3.
+
+
+%package doc
+Summary: Documentation for the Mako template library for Python
+Suggests: python3-mako = %{version}-%{release}
+
+%description doc %_description
+
+This package contains documentation in text and HTML formats.
+
+
+%prep
+%autosetup -p1 -n mako-rel_%(echo %{version} | sed "s/\./_/g")
+
+
+%build
+%py3_build
+
+
+%install
+%py3_install
+
+mv %{buildroot}/%{_bindir}/mako-render %{buildroot}/%{_bindir}/mako-render-%{python3_version}
+ln -s ./mako-render-%{python3_version} %{buildroot}/%{_bindir}/mako-render-3
+ln -s ./mako-render-%{python3_version} %{buildroot}/%{_bindir}/mako-render
+
+# These are supporting files for building the docs. No need to ship
+rm -rf doc/build
+
+
+%check
+pytest-3
+
+
+%files -n python3-mako
+%license LICENSE
+%doc CHANGES README.rst examples
+%{_bindir}/mako-render
+%{_bindir}/mako-render-3
+%{_bindir}/mako-render-%{python3_version}
+%{python3_sitelib}/mako/
+%{python3_sitelib}/Mako-*.egg-info/
+
+%files doc
+%doc doc
+
+
+%changelog
+* Thu Nov 17 2022 David King - 1.1.4-6
+- Fix CVE-2022-40023 (#2133606)
+
+* Tue Aug 10 2021 Mohan Boddu - 1.1.4-5
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu - 1.1.4-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Mar 29 2021 David King - 1.1.4-3
+- Remove unnecessary python3-mock BuildRequires
+
+* Wed Jan 27 2021 Fedora Release Engineering - 1.1.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Jan 14 19:55:31 CET 2021 Petr Viktorin - 1.1.4-1
+- Update to version 1.1.4
+- Avoids test warnings on Python 3.10
+ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1907474
+
+* Fri Jun 26 2020 Charalampos Stratakis - 1.1.3-1
+- Update to 1.1.3 (#1808872)
+
+* Fri May 22 2020 Miro Hrončok - 1.1.1-2
+- Rebuilt for Python 3.9
+
+* Mon Feb 10 2020 Miro Hrončok - 1.1.1-1
+- Update to 1.1.1 (#1787962) (#1793184)
+
+* Thu Jan 30 2020 Fedora Release Engineering - 1.1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 07 2020 Randy Barlow - 1.1.0-4
+- Fix FTBFS with pytest-5 by dropping a BR on python-nose (mako does not use nose).
+
+* Fri Nov 15 2019 Miro Hrončok - 1.1.0-3
+- Subpackage python2-mako has been removed
+ See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal
+
+* Fri Oct 11 2019 Miro Hrončok - 1.1.0-2
+- Rename the Python-versioned executables not to start with "python"
+- Make mako-render Python 3 on Fedora 32+
+
+* Tue Sep 03 2019 Randy Barlow - 1.1.0-1
+- Update to 1.1.0 (#1725969).
+- https://docs.makotemplates.org/en/latest/changelog.html#change-1.1.0
+
+* Sun Aug 18 2019 Miro Hrončok - 1.0.12-4
+- Rebuilt for Python 3.8
+
+* Thu Aug 15 2019 Miro Hrončok - 1.0.12-3
+- Rebuilt for Python 3.8
+
+* Fri Jul 26 2019 Fedora Release Engineering - 1.0.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Jun 05 2019 Randy Barlow - 1.0.12-1
+- Update to 1.0.12 (#1708706).
+- https://docs.makotemplates.org/en/latest/changelog.html#change-1.0.12
+
+* Wed Apr 17 2019 Miro Hrončok - 1.0.9-1
+- Update to 1.0.9 (#1698191, #1700055)
+
+* Wed Mar 20 2019 Miro Hrončok - 1.0.8-1
+- Update to 1.0.8 (#1470902, #1690902)
+
+* Wed Mar 20 2019 Miro Hrončok - 1.0.7-1
+- Update to 1.0.7 (#1470902)
+
+* Sat Feb 02 2019 Fedora Release Engineering - 1.0.6-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering - 1.0.6-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 15 2018 Miro Hrončok - 1.0.6-10
+- Rebuilt for Python 3.7
+
+* Wed Mar 28 2018 Petr Viktorin - 1.0.6-9
+- Make python-beaker an optional dependency
+- Add missing python_provide for python3-mako
+- Conditionalize the Python 2 subpackage
+- Modernize the specfile
+
+* Mon Feb 12 2018 Iryna Shcherbina - 1.0.6-8
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Feb 09 2018 Fedora Release Engineering - 1.0.6-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
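Review bot: `Patch0: python-mako-1.1.14-CVE-2022-40023.patch` names version 1.1.14 while `Version:` is 1.1.4, so anyone auditing by file name which build carries the CVE-2022-40023 fix gets a misleading answer; `python-mako-1.1.4-CVE-2022-40023.patch`, with the file under SOURCES renamed to match, would agree with the package. The comment above `Patch0` gives only the Bugzilla link; adding `# Upstream commit 0969203d36a128f42d7e4025ca29b5dfa74e1a21: fix tag regexp to match quoted groups correctly` would let a reviewer check the backport against upstream without opening the patch. `%check` invokes `pytest-3` with no arguments, so the new lexer test should be collected at build time, which is worth keeping when the spec is next modernized.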